Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010 - Security-news

18 Dec 2019


      View online: https://www.drupal.org/sa-core-2019-010
Project: Drupal core [1]
Version: 8.8.x-dev8.7.x-dev
Date: 2019-December-18
Security risk: *Moderately critical* 14∕25
AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Multiple vulnerabilities
Description: 
Drupal 8 core's file_save_upload() function does not strip the leading and
trailing dot ('.') from filenames, like Drupal 7 did.
Users with the ability to upload files with any extension in conjunction with
contributed modules may be able to use this to upload system files such as
.htaccess in order to bypass protections afforded by Drupal's default
.htaccess file.
After this fix, file_save_upload() now trims leading and trailing dots from
filenames.
Solution: 
Install the latest version:
* If you use Drupal core 8.7.x: 8.7.11 [3]
   * If you use Drupal core 8.8.x: 8.8.1 [4]
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.
Reported By: 
   * Rohit Kapur  [5]
   * Filipe Reis  [6]
   * Dan Reif  [7]
   * mramydnei  [8]
Fixed By: 
   * Lee Rowlands  [9] of the Drupal Security Team
   * Greg Knaddison  [10] of the Drupal Security Team
   * Michael Hess  [11] of the Drupal Security Team
   * Kim Pepper  [12]
   * Alex Pott  [13] of the Drupal Security Team
   * Derek Wright  [14]
   * Jess   [15] of the Drupal Security Team
   * David Rothstein  [16] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.7.11
[4] https://www.drupal.org/project/drupal/releases/8.8.1
[5] https://www.drupal.org/user/3623849
[6] https://www.drupal.org/user/3521501
[7] https://www.drupal.org/user/454444
[8] https://www.drupal.org/user/3529990
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/102818
[12] https://www.drupal.org/user/370574
[13] https://www.drupal.org/user/157725
[14] https://www.drupal.org/user/46549
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/124982